RSA strives to help our customers minimize risk associated with security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance, and mitigation options to address vulnerabilities. The RSA Product Security Incident Response Team (RSA PSIRT) is chartered and responsible for coordinating the response and disclosure for all product vulnerabilities that are reported to RSA.
If you identify a security vulnerability in any RSA product, please report it to us immediately. Security researchers, industry groups, vendors, and other users that do not have access to Technical Support should send vulnerability reports directly to the RSA PSIRT via email. Timely identification of security vulnerabilities is critical to mitigating potential risks to our customers.
RSA’s product customers and partners should contact their respective Technical Support team to report any security issues discovered in RSA products. The Technical Support team, appropriate product team and the RSA PSIRT will work together to address the reported issue and provide customers with next steps.
When reporting a potential vulnerability, please include as much of the below information as possible to help us better understand the nature and scope of the reported issue:
RSA believes in maintaining a good relationship with security researchers, and with their agreement, may recognize the researcher for finding a valid product vulnerability and privately reporting the issue. In return, we ask that researchers give us an opportunity to remediate the vulnerability before disclosing it publicly. RSA believes that coordinating the public disclosure of a vulnerability is key to protecting our customers.
According to this policy, all disclosed information about vulnerabilities is intended to remain between RSA and the reporting party—if the information is not already public knowledge—until a remedy is available and disclosure activities are coordinated.
After investigating and validating a reported vulnerability, we will attempt to develop and qualify the appropriate remedy for products under active support from RSA. A remedy may take one or more of the following forms:
RSA makes every effort to provide the remedy or corrective action in the shortest commercially reasonable time. Response timelines depend on many factors, such as the severity, impact, the remedy complexity, the affected component (e.g., some updates require longer validation cycles or can only be updated in a major release), the stage of the product within its lifecycle, and status of business operations, among others.
RSA currently uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) open framework for communicating the characteristics and severity of RSA’s software vulnerabilities. Many factors, including the level of effort required to exploit a vulnerability as well as the potential impact to data or business activities from a successful exploit, are taken into consideration.
The overall impact of a security advisory is a textual representation of the severity (i.e., critical, high, medium, and low) that follows the CVSS Severity Qualitative Severity Rating Scale for the highest CVSS Base Score of all identified vulnerabilities. When and where applicable, RSA will provide an overall impact for the advisory and for each identified vulnerability the CVSS v3.1 Base Score and corresponding CVSS v3.1 Vector. RSA recommends that all customers take into account both the base score and any temporal and/or environmental metrics that may be relevant to their environment to assess their overall risk.
Usually, we communicate remedies to customers through RSA Security Advisories, where applicable. To protect our customers, RSA strives to release a Security Advisory once we have a remedy in place for any affected product(s). RSA may release Security Notices sooner to respond appropriately to public disclosures or widely known vulnerabilities in the components used within our products.
Security Advisories are intended to provide enough details to allow customers to assess the impact of vulnerabilities and to remedy potentially vulnerable products. Full details may be limited to reduce the likelihood that malicious users can take advantage of the information and exploit it to the detriment of our customers.
RSA Security Advisories will typically include the following information, as applicable:
RSA’s policy is not to provide information about the specifics of vulnerabilities beyond what is provided in the Security Advisory and related documentation, such as release notes, knowledgebase articles, FAQs, etc. We do not distribute exploit/proof of concept code for identified vulnerabilities. In accordance with industry practices, RSA does not share the findings from its internal security testing or other types of security activities with external entities.
If you need to report any other security issue to RSA, please use the appropriate contacts listed below:
|Security Issue||Contact Information|
|To report a security vulnerability or issue in RSA.com or other online service, web application or property||Submit a report at email@example.com with step-by-step instructions to reproduce the issue.|
|To submit privacy related requests or questions||See RSA Privacy page.|
RSA customers’ entitlements regarding warranties and support and maintenance—including vulnerabilities in any RSA software product—are governed by the applicable agreement between RSA and the individual customer. The statements on this web page do not modify, enlarge, or otherwise amend any customer rights or create any additional warranties.
All aspects of RSA’s Vulnerability Response Policy are subject to change without notice and on a case-by-case basis. Response is not guaranteed for any specific issue or class of issues. Your use of the information contained in this document or materials linked herein is at your own risk. RSA reserves the right to change or update this document in its sole discretion and without notice at any time.